[PATCH v4 04/18] mshv: Add NULL check for vp in mshv_try_assert_irq_fast

Next message: Neil Armstrong: "Re: [PATCH 05/16] arm64: dts: amlogic: Add EL2 virtual timer interrupt"
Previous message: Kartik Rajput: "[PATCH 3/4] clocksource/drivers/timer-tegra186: Register all accessible watchdog timers"
In reply to: Stanislav Kinsburskii: "[PATCH v4 03/18] mshv: Fix race in mshv_irqfd_deassign"
Next in thread: Stanislav Kinsburskii: "[PATCH v4 15/18] mshv: Defer mshv_vp free to an RCU grace period"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stanislav Kinsburskii

Date: Thu May 07 2026 - 11:47:43 EST

mshv_try_assert_irq_fast() dereferences the vp pointer obtained from
pt_vp_array[lapic_apic_id] without checking for NULL or validating that
lapic_apic_id is within bounds. A spurious interrupt from the hypervisor
targeting a non-existent VP (or one not yet created) causes a NULL
pointer dereference and crashes the host.

Add a bounds check on lapic_apic_id against MSHV_MAX_VPS and a NULL
check on the vp pointer before dereferencing.

Fixes: 621191d709b14 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Signed-off-by: Stanislav Kinsburskii <skinsburskii@xxxxxxxxxxxxxxxxxxx>
---
drivers/hv/mshv_eventfd.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/hv/mshv_eventfd.c b/drivers/hv/mshv_eventfd.c
index 5995a62aff8d8..b398e58411dd7 100644
--- a/drivers/hv/mshv_eventfd.c
+++ b/drivers/hv/mshv_eventfd.c
@@ -169,7 +169,12 @@ static int mshv_try_assert_irq_fast(struct mshv_irqfd *irqfd)
return -EOPNOTSUPP;
#endif

+ if (irq->lapic_apic_id >= MSHV_MAX_VPS)
+ return -EINVAL;
+
vp = partition->pt_vp_array[irq->lapic_apic_id];
+ if (!vp)
+ return -EINVAL;

if (!vp->vp_register_page)
return -EOPNOTSUPP;